Security patch for SolaX Pocket WiFi is available

In the last month or so we have received a number of emails from people getting in touch saying that they had received a software update for their SolaX inverter’s Pocket WiFi device that includes a cyber security improvement.  They had read our previous work and had got in contact with SolaX to ask for more information. To their surprise they were offered a software patch to improve the security of the system.

It seems that if you want the software update you have to get in touch with them and they perform the update on your behalf.  There is no known automatic update, or self service option.  The vendor needs to login to your device and apply the software update.

We did this on our test device and as described, SolaX pretty promptly performed the update.  Rather worryingly though, they didn’t need any help to do it – we just simply needed to confirm a couple of minor details, predominantly the serial number, and away they went.  The update took less than 15 minutes.

The update provides one security improvement – it is now possible to disable the WiFi hotspot which means CVE-2023-35835 is effectively resolved.  With any luck, SolaX will get the other two resolved soon too.